Netflix vs. Healthcare.gov

The two sites demonstrate two very different approaches to cybersecurity.

Photo illustration by Slate. Screenshots courtesy of healthcare.gov and Netflix.

What could possibly have motivated the Centers for Medicare and Medicaid Services to refuse to release even a single document about the healthcare.gov site’s security in response to a Freedom of Information Act request submitted by the Associated Press? The AP announced that its request had been refused last week and, by way of explanation, cited a statement from CMS spokesman Aaron Albright that “releasing this information would potentially cause an unwarranted risk to consumers’ private information.” It’s hard to imagine that any documents the agency could have released would have generated more doubts about the site’s security than those remarks. The best way to protect the site—and its users—would be to stop defending it against legitimate questions and release some of the requested information.

But if healthcare.gov really has excellent—or even just industry-standard—protective measures in place, then why isn’t the government willing to describe them, even partially? Because they are in some way inadequate and embarrassing? Because there is no site security plan to release? Because CMS actually has developed a secret plan to fight online intruders using revolutionary new top-secret technology? I’m inclined toward the first explanation, even though my only real reason to doubt the security of the site is precisely the refusal to reveal any information about its protections.


The AP rightly lambastes CMS for practicing “security through obscurity” and relying on secrecy rather than effective security controls to protect the site. After all, responding to the FOIA request would not have had to mean releasing a road map for attackers detailing how best to steal data from the site. Instead, the agency could have released some documents describing the general sorts of mechanisms in place to protect the data entered into the site and perhaps updating the January statistic from Fryer about how many—if any—successful attacks it has experienced. That response would probably have generated a lot less interest than this refusal, even though it likely wouldn’t have told us very much about the actual state of the site’s security—maybe even less than we’re inferring now, as we wonder what CMS has to hide.

Of course, it’s also possible that the agency doesn’t have anything to hide—that its staffers truly believe the best way to secure a website is to be as secretive as possible about its protections. That mindset is an interesting contrast to the decision that the Netflix security team made on Monday to publicly release the code for two of its own security tools. The two applications, called Scumblr and Sketchy, are intended to help defenders search the Web specifically to collect information about potential threats and malicious websites. “Scumblr and Sketchy are helping the Netflix security team keep an eye on potential threats to our environment every day,” Netflix cloud security team members Andy Hoernecke and Scott Behrens write at the end of the blog post. “We hope that the open source community can find new and interesting uses for [them].”

Releasing some open-source security tools that your site uses is not the same as detailing your entire security plan, but it’s telling that Netflix is willing to volunteer information about some of its security practices while CMS is not. Netflix, which is not subject to FOIA, is talking about it—and the implication is that it is confident in its security and proud of the tools it’s developed. Healthcare.gov, on the other hand, is not coming off as confident—let alone proud.

So the contrasting decisions by Netflix and CMS end up suggesting different levels of confidence. But they also suggest two totally different attitudes about information security. The Netflix announcement is indicative of an outlook in which defenders view the outside world as largely composed of allies, or people who face similar security problems and who can learn from their tools and security decisions, or even provide useful critiques and suggestions. The CMS approach, however, suggests a defender that views the rest of the world as a large population of potential attackers, liable to seize any provided information and immediately use it for evil.

Certainly, there are bad guys out there, and Netflix knows that every bit as well as the government. But those bent on serious criminal activity will probably be able to figure out many of the security measures healthcare.gov is using just by testing different ways of trying to access it. So if those measures are any good, they won’t depend too heavily on being kept secret in order to be effective, just like Scumblr and Sketchy will continue to gather useful threat intelligence information for the Netflix security team even after being posted on GitHub. And if CMS really has developed a secret plan, if it’s actually got cool new security tools protecting healthcare.gov that no one else knows about, maybe it should consider following Netflix’s example and releasing more information, not less, so that other organizations trying to protect sensitive information and health care data can learn from them.

There’s a certain irony in a private company taking steps toward providing a public service by voluntarily releasing some security information about how it protects its site and its customers while a public government agency refuses to release so much as a single high-level document even when explicitly requested to do so under FOIA. The CMS decision suggests a considerable lack of confidence in its own security measures, but it also represents a refusal to be part of a larger endeavor, an unwillingness to work with others who handle health care information online, providing guidance, developing common tools, or finding those “new and interesting uses” that might help keep everyone safer.